
Thread: SPI capability

  1. #1
    Bronze Lounger
    Join Date
    Feb 2001
    Posts
    1,424
    Thanks
    0
    Thanked 0 Times in 0 Posts

    SPI capability

    Okay, here's my problem. I've finally gotten brave enough to connect my (NetGear) hardware router to the cable modem after being certain I had things rolling along the way I wanted them to. Well, it slowed down my connectivity to a crawl at times and then other times it would run along faster but still below the speed I was achieving by just using a cable modem and my software firewall. So I wrote to the Netgear forum asking what I could do. The response was to turn off SPI in the WAN settings and that it wouldn't hurt my security. So what does anyone think about this? Should I sacrifice speed which fell to under 3Mbps and downward at times and keep SPI checked? Or am I safe enough without it?


    "Peace begins with a smile." -- Mother Teresa

  2. #2
    Super Moderator jscher2000
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: SPI capability

    Does SPI stand for "stateful packet inspection"? This is the hardware firewall. One could argue that if you are using private addresses internally (e.g., 192.168.0.1), that is, you are running NAT (network address translation) plus a software firewall, then the SPI firewall hardly adds anything to the mix. Or perhaps the built-in SPI firewall is just badly coded or underpowered, because it shouldn't slow down normal traffic.

  3. #3
    Bronze Lounger

    Re: SPI capability of a router

    > Does SPI stand for "stateful packet inspection"?

    And the answer is yes, that is what I was referring to. If this is the hardware's firewall and I have it turned off, then what I am deciphering from your answer is that the router really won't be doing the job it was created for?

    > Or perhaps the built-in SPI firewall is just badly coded or underpowered, because it shouldn't slow down normal traffic.

    I wouldn't know how to answer this supposition? I've not had any experience using a router until now. I did note on the router's website that they offer two beta firmware upgrades. I wonder if it would be worthwhile trying one of these on for size? I have thought about doing it but if it completely messes up the router, how do I return to the earlier version of the firmware? Do I just return to "factory defaults" or can I just upload the old version of the firmware which might be simpler to do? The router's page definitely says they will not offer support for anyone using their beta firmware.



  4. #4
    Bronze Lounger

    Re: SPI capability of router

    This is what I am concerned about. I haven't a clue about whatever is not behaving in this router that might be causing this. See my pic of current speed below! Anyone have any ideas? I do have an email request sent to their tech support and I am waiting for a reply from them. But I was hoping that maybe someone in our lounge might have a good solution since it apparently isn't a good idea to turn off the SPI capability.

    Thank you for any suggestions, ideas, etc.

    ps: It is a netgear WGR614V6



  5. #5
    Super Moderator jscher2000

    Re: SPI capability of router

    That speed doesn't look too bad...

    Anyway, the first line of protection, as noted above, is NAT. If your router is assigning a private address to your computer, then that provides a significant degree of protection against unwanted traffic.

    The second line of protection would be the SPI firewall in the router.

    The question is whether your third line of protection, the software firewall on your computer, is sufficient so you can turn off the router's firewall. I think the answer is normally yes: as long as you are using a good software firewall that is configured to block incoming connections that you did not initiate.

    It's strange: you would think that offloading this filtering process to the router -- only letting good traffic through to your computer -- would improve the overall performance of your system, but apparently that assumption does not hold up in this case. So I think you should go ahead and turn off the SPI firewall if the other two measures are in place. (I'm even tempted to revisit the configuration of our Netgear wireless router at home now...)

  6. #6
    Bronze Lounger

    Re: SPI capability of router

    Thanks for replying! I did get an answer from Netgear Tech who instructed that I upgrade the firmware but it didn't give me any improvement in speed. So I sent them another email to answer.

    If I understand the NAT part of this, the router has assigned 192.168.1.1 to itself or the NIC card or whatever it assigns this number to. The ISP has a DHCP assigned IP number that is listed in the configuration page of the router.

    Since I have connected the router, my firewall doesn't show any blocked incoming hits now. I find that a bit odd? Has connection to the router sufficiently hidden my connection to the wide world of the Internet? I note when I go to pages like Shields Up, everything is "stealth" but the DHCP IP number that they show is mine so I can't be completely hidden.

    Any thoughts? I'll be interested to hear what you find when you check your Netgear router.

    Thanks again for tackling my crazy questions. It'd help if I knew more about what I am trying to ask? But then I wouldn't have to ask, would I?



  7. #7
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Quedgeley, Gloucester, England
    Posts
    5,333
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: SPI capability of router

    > I note when I go to pages like Shields Up, everything is "stealth" but the DHCP IP number that they show is mine so I can't be completely hidden.

    Your router has this IP address, assigned by your ISP, so that you can access the internet! Their DHCP also assigns other IP addresses for you, like the default gateway and the DNS servers they want you to use.

    It soon gets very nerdy in there...!

    John

    Ita, esto, quidcumque...

  8. #8
    Super Moderator jscher2000

    Re: SPI capability of router

    John saved the nerdy part for me...

    When you use NAT, your router has two addresses. The external address is the one supplied by your ISP and the internal address is one supplied by you. The internal address typically is along the lines of 192.168.0.1 (there are other, less used private ranges). Your computer is assigned a number in this sequence. You can view that number in a variety of ways. If your system tray/notification area has an icon for the connection, you can right-click, then Status, then Support tab. IP Address is you, and Gateway is your router. If you don't have that icon, you probably can get the same information from the Network Connections control panel. You also can obtain it using the program ipconfig (Start>Run>cmd -- then at the command prompt -- ipconfig /all).

    When your computer sends a request to the internet, the router stores your IP address in a table and assigns a new outgoing port number to your packet. It changes the originating address to your public IP address so that the response will come back to the router (it is useless to send packets with a private return address, they are not routable). The server returns its response using the port number specified by the router, and the router then uses that information to determine which internal computer should receive the response. If the port number is not in the table of outbound communications, then the router should discard the incoming packet. In this manner, NAT automatically protects you from most random junk traffic. (The main exception is when you intentionally open a port, for example to participate in certain multi-player games.)

    Note: I think that's how it works, but I really don't know where I pick up these ideas.
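
The translation table described in the post above, modelled as an added example that is not part of the original thread. The class name `NatRouter`, the port pool start and all addresses are constructed for illustration. The `strict` flag goes beyond the post: it also matches the remote endpoint of each entry, which is the extra check a stateful packet inspection firewall makes on top of plain port lookup.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed: stands in for the ISP-assigned address

@dataclass
class NatRouter:
    public_ip: str
    strict: bool = False   # True: also match the remote endpoint (SPI-style)
    next_port: int = 40000  # hypothetical start of the outgoing port pool
    table: dict = field(default_factory=dict)     # public port -> (lan_ip, lan_port, remote)
    forwards: dict = field(default_factory=dict)  # intentionally opened ports

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Rewrite an outgoing packet's source and remember who sent it."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return (self.public_ip, pub_port, remote_ip, remote_port)

    def inbound(self, remote_ip, remote_port, dst_port):
        """Return the internal (ip, port) to deliver to, or None to discard."""
        if dst_port in self.forwards:      # a port the user opened on purpose
            return self.forwards[dst_port]
        entry = self.table.get(dst_port)
        if entry is None:                  # nothing outbound used this port
            return None
        lan_ip, lan_port, remote = entry
        if self.strict and remote != (remote_ip, remote_port):
            return None                    # right port, wrong sender
        return (lan_ip, lan_port)

def demo(strict):
    """Run one outbound request and four inbound packets through the router."""
    r = NatRouter(PUBLIC_IP, strict=strict)
    src_ip, src_port, _, _ = r.outbound("192.168.1.2", 51000, "198.51.100.10", 80)
    r.forwards[27015] = ("192.168.1.2", 27015)  # e.g. a game port
    return {
        "rewritten_source": (src_ip, src_port),
        "reply": r.inbound("198.51.100.10", 80, src_port),
        "unsolicited": r.inbound("192.0.2.99", 4444, 23),
        "other_host_same_port": r.inbound("192.0.2.99", 4444, src_port),
        "forwarded": r.inbound("192.0.2.99", 4444, 27015),
    }

if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "port-only", demo(mode))
```

With `strict=False` a packet from an unrelated host that happens to hit an active translated port is still delivered; with `strict=True` it is discarded, while the forwarded port stays reachable in both modes.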

  9. #9
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,585
    Thanks
    5
    Thanked 1,059 Times in 928 Posts

    Re: SPI capability of router

    Check with your ISP on the MTU size you need and check the router configuration for that size. Most of the time it is 1500 but can be different.

    Joe

  10. #10
    Bronze Lounger

    Re: SPI capability of router

    Well part of your reply I do understand. IP# have been assigned (not by me but automatically I guess) to the router - 192.168.1.1 and the cable modem 192.168.100.1 which are fairly standard internal numbers. By typing in the modem's IP #, I can check out the information it has about itself but it doesn't make any sense to me. The router lists the DHCP assigned IP # that my computer has currently.

    I have never understood the packet headers, proper addresses, etc. I do get the gist of the idea however since I know that the addresses have to match before something can be received but how it works is beyond me. I guess I am saved by not playing online games and I haven't opened any ports intentionally.

    To address Joe's suggestion, I've been through most everything on the ISP's website and cannot find a hint of what their MTU setting suggestion would be. I can try asking them, but they pretty much stipulate that if users want to incorporate routers fine, but they don't want to support them unless they have done the setting up. So I don't know if they will supply the information I ask for or not. Can't hurt to ask however. Currently the router is set for 1500 MTU.

    NetGear did respond with many things to try. They didn't say whether I should do them all at once or one at a time. The tech in me says one at a time is best. #1 - turn off the software firewall. #2 adjust the MTU size to 1300, 1492, 1440 etc. So I tried each of these and it didn't make a difference. Then they wanted me to reset the router and start all over again - which I feel is rather useless but I might give it a go just so I can tell them it didn't make a difference. And who knows - maybe it will make a difference... we'll see.

    Thanks for being interested in my problem.


